Amazon GuardDuty added Amazon EKS Runtime Monitoring and RDS Protection for Amazon Aurora. EKS Runtime Monitoring can detect runtime threats from over 30 different security findings. RDS Protection adds support for profiling and monitoring access activity to Aurora databases.
Amazon EKS Runtime Monitoring uses a fully managed EKS add-on to provide visibility into container runtime activities such as file access, process execution, and network connections. It can identify containers within an EKS cluster that are potentially compromised. This includes detecting attempts to escalate privileges from the container to the underlying EC2 host.
Findings generated cover crypto-mining, trojans, unauthorized access, privilege escalation, and attempts to bypass defenses. For example, the finding Trojan:Runtime/BlackholeTraffic!DNS notifies if a container is querying a domain name that is redirecting to a black hole IP address.
DefenseEvasion:Runtime/FilelessExecution triggers if a container process is executing code from memory. While this can be a false positive, it is a technique used to avoid writing an executable to the disk where it might be detected.
Backdoor:Runtime/C&CActivity.B reports if a container is querying an IP that is tied to a known command and control server. If the IP is known to be log4j-related, the following fields will be set to these values in the finding:
service.additionalInfo.threatListName = Amazon
service.additionalInfo.threatName = Log4j Related
EKS Runtime Monitoring is not enabled by default but can be enabled and configured in the GuardDuty console. The service can be configured to automatically deploy and update the EKS-managed add-on for all existing and future EKS clusters. Enabling this option will also create the VPC endpoint for events to be delivered to GuardDuty.
This release builds on the previously released EKS Audit Log Monitoring. EKS Audit Log Monitoring analyzes Kubernetes audit logs directly from the EKS control plane through a duplicated log stream. Kubernetes audit logs capture user activities, applications using the Kubernetes API, and control plane actions.
EKS Runtime Monitoring makes use of runtime logs collected from the hosts. AWS notes that these logs can contain fields, such as file paths, that may have been altered by malicious actors. If the findings are being processed outside of GuardDuty all finding fields must be sanitized appropriately.
Other products in this space include the open-source runtime security tool, Falco. Falco's recent release added support for updating rules at runtime and an experimental eBPF probe. Falco is a Cloud Native Computing Foundation (CNCF) incubated project.
GuardDuty RDS Protection for Amazon Aurora can detect threats such as high-severity brute force attacks, suspicious logins, and access by known threat actors. RDS Protection is enabled by default for new users to GuardDuty but must be enabled for current GuardDuty users. Enabling the service is done through the GuardDuty console.
The new threat detection services are available now within most regions that GuardDuty is available in. More details on Amazon GuardDuty can be found on the AWS site with pricing information on the pricing page.